Configuring Pki; Overview; Pki Terminology; Pki Architecture - HP 1910 User Manual

Configuring PKI

Overview

The Public Key Infrastructure (PKI) is a hierarchical framework designed for providing information security
through public key technologies and digital certificates and verifying the identities of the digital
certificate owners.
PKI employs digital certificates, which are bindings of certificate owner identity information and public
keys. It allows users to obtain certificates, use certificates, and revoke certificates. By leveraging digital
certificates and relevant services like certificate distribution and blacklist publication, PKI supports
authenticating the entities involved in communication, and thus guaranteeing the confidentiality, integrity,
and non-repudiation of data.

PKI terminology

Digital certificate
A digital certificate is a file signed by a certificate authority (CA) that contains a public key and the
related user identity information. A simplest digital certificate contains a public key, an entity name, and
a digital signature from the CA. Generally, a digital certificate also includes the validity period of the key,
the name of the CA and the sequence number of the certificate. A digital certificate must comply with the
international standard of ITU-T_X.509. This document involves local certificate and CA certificate. A local
certificate is a digital certificate signed by a CA for an entity. A CA certificate, also known as a "root
certificate", is signed by the CA for itself.
CRL
An existing certificate might need to be revoked when, for example, the user name changes, the private
key leaks, or the user stops the business. Revoking a certificate will remove the binding of the public key
with the user identity information. In PKI, the revocation is made through certificate revocation lists (CRLs).
Whenever a certificate is revoked, the CA publishes one or more CRLs to show all certificates that have
been revoked. The CRLs contain the serial numbers of all revoked certificates and provide an effective
way for checking the validity of certificates.
A CA might publish multiple CRLs when the number of revoked certificates is so large that publishing
them in a single CRL might degrade network performance.
CA policy
A CA policy is a set of criteria that a CA follows in processing certificate requests, issuing and revoking
certificates, and publishing CRLs. Usually, a CA advertises its policy in the form of certification practice
statement (CPS). A CA policy can be acquired through out-of-band means such as phone, disk, and
email. As different CAs might use different methods to check the binding of a public key with an entity,
make sure that you understand the CA policy before selecting a trusted CA for certificate request.

PKI architecture

A PKI system consists of entities, a CA, a registration authority (RA) and a PKI repository.
449